HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.

All times are UTC + 2 hours [ DST ]

Posted: 19 Apr 2008 00:11
Joined: 01 Sep 2007 01:02
Posts: 18
Dang, you are correct.

Back to the old drawing board! I'm determined to fix this so I'll post an update if I figure something out.


Posted: 19 Apr 2008 19:48
Joined: 19 Apr 2008 19:16
Posts: 13
Hi,

Apolo_1, I am interested in your configurations. Could you show them? I have many problems configuring dansguardian + havp (clamav) + squid correctly.

If anyone has a similar configuration, it would be a great help. I am a novice and I find it difficult to understand some things because my English is not very good.

What is the difference between client-> squid-> havp or client-> havp-> squid?

Thank you all


Posted: 19 Apr 2008 20:04
Joined: 01 Sep 2007 01:02
Posts: 18
jackdragma wrote:

What is the difference between client-> squid-> havp or client-> havp-> squid?

Thank you all


client-> squid-> havp == virus may be cached and sent to client.

client-> havp-> squid == HAVP scans all cache content, but you lose the nice ACLs squid provides.

Best solution remains client->squid(proxy-only)->havp->squid(proxy-cache)

With ACLs on first squid, you can skip havp for certain domains or traffic/file types. This is what I want/need for a high-volume deployment.

*However*, as has been discussed in this thread, it would appear you need to run two separate instances of squid for this to work. Either on two different boxes (for example, squid proxy+havp on box 1, squid cache on box 2) or two separate squid processes, each with unique config files.


Posted: 20 Apr 2008 06:05
Joined: 01 Sep 2007 01:02
Posts: 18
Ok so I just spent a day migrating my config to separate squid processes, one proxy only and the other a proxy/cache.

So far this works great and I think it's the right solution for us. Our box is a dual quad-core so having separate processes is better anyway. Additionally, the config files are cleaner and the whole process is better from a security perspective, as you can actually disable all caching on the public squid proxy interface, so no chance of caching malware there.


Posted: 21 Apr 2008 14:25
Joined: 21 Apr 2008 14:21
Posts: 10
Yes, I just observed the same problem today :) I have used the solution provided above, so the topology looks like:

winpc --> dansguardian (8080) --> havp (8090) --> squid (3128)

So once the windows computers try to load a page, it will be checked for forbidden domains by dansguardian, then it will be scanned for viruses and finally what is worth caching will be cached with squid. Additionally, adzapper can be run from squid. Thanks guys.


Posted: 24 Apr 2008 18:39
Joined: 21 Apr 2008 14:21
Posts: 10
Hi guys, seems like the solution above is wrong. Relevant configuration:

dansguardian.conf
filterip = 192.168.50.105
filterport = 8080
proxyip = 127.0.0.1
proxyport = 8090

havp.config
PARENTPROXY 127.0.0.1
PARENTPORT 3128
PORT 8090
BIND_ADDRESS 127.0.0.1

squid.conf
http_port 3128

All works fine, but the virus is cached by squid:
127.0.0.1 TCP_MEM_HIT/200 582 GET http://www.eicar.org/download/eicar.com - NONE/- application/x-msdos-program

How can this be fixed?
Thanks in advance.


Posted: 24 Apr 2008 19:23
Joined: 01 Sep 2007 01:02
Posts: 18
hydrapolic wrote:

All works fine, but the virus is cached by squid:
127.0.0.1 TCP_MEM_HIT/200 582 GET http://www.eicar.org/download/eicar.com - NONE/- application/x-msdos-program

How can this be fixed?
Thanks in advance.


It's supposed to be cached by squid. That's what squid does. It doesn't know that the content is malicious. The important thing is that havp scans all the cached content and doesn't deliver it to the client.

If you don't want squid to cache viruses, you will either need to write an acl to instruct it to not cache (no_cache) certain file/mime types or write a daemon to watch the havp file and purge objects that have viruses.

I personally like the fact that squid caches malicious objects, as I plan on adding a malware collector that pulls them from the cache and archives them for our bestiary.


 
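Added example, not part of the original posts: a check over Squid's access.log that separates the harmless case discussed above (a cache hit requested by HAVP at 127.0.0.1, which HAVP still scans before the user sees it) from the risky one (a cache hit answered straight to a client, as in client-> squid-> havp). It assumes Squid's native log format and that the scanner connects from 127.0.0.1; the function names and all sample lines except the one quoted in the thread are constructed.

```python
from typing import Iterable, Iterator, NamedTuple, Optional

class Entry(NamedTuple):
    client: str
    result: str     # Squid result code, e.g. TCP_MEM_HIT
    status: int
    url: str
    hierarchy: str  # NONE means no parent or origin server was contacted
    mime: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse a native-format access.log line. Fields are taken from the right,
    so the leading timestamp/elapsed columns may be absent, as in the thread."""
    f = line.split()
    if len(f) < 8:
        return None
    client, code, size, _method, url, _ident, hier, mime = f[-8:]
    result, _, status = code.partition("/")
    if not (status.isdigit() and size.isdigit()):
        return None
    return Entry(client, result, int(status), url, hier.split("/", 1)[0], mime)

def unscanned_hits(lines: Iterable[str],
                   scanner_ips=frozenset({"127.0.0.1"})) -> Iterator[Entry]:
    """Yield cache hits answered locally to a client that is not the scanner.
    A hit requested by HAVP itself is still scanned on its way to the user."""
    for line in lines:
        e = parse_line(line)
        if (e and "HIT" in e.result and e.hierarchy == "NONE"
                and e.client not in scanner_ips):
            yield e

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = [
    "127.0.0.1 TCP_MEM_HIT/200 582 GET http://www.eicar.org/download/eicar.com - NONE/- application/x-msdos-program",
    "1209055160.101 12 192.168.50.20 TCP_HIT/200 582 GET http://files.example/setup.exe - NONE/- application/x-msdos-program",
    "1209055161.330 240 192.168.50.21 TCP_MISS/200 9120 GET http://www.example/ - DEFAULT_PARENT/127.0.0.1 text/html",
    "1209055162.004 1 192.168.50.22 TCP_DENIED/403 1402 GET http://blocked.example/ - NONE/- text/html",
    "truncated line",
]

if __name__ == "__main__":
    for hit in unscanned_hits(SAMPLE_LOG):
        print(f"{hit.client} got {hit.url} ({hit.mime}) via {hit.result}, not scanned")
```

Run against the log of a Squid that sits behind HAVP, this should report nothing; any output means some client is reaching the cache without passing through the scanner.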
Posted: 24 Apr 2008 19:29
Joined: 21 Apr 2008 14:21
Posts: 10
Ok, so it's a feature, not a bug :)

Thanks for the reply, I can sleep calmly now :)

